A
HackerOne is empowering the world to build a safer Internet. We provide a powerful and intuitive platform that enables security response teams to build effective vulnerability coordination programs.

Q

What is a vulnerability coordination program?

A
Also sometimes referred to as a "responsible disclosure" or "coordinated disclosure" program, it is the ability to receive vulnerability reports from people outside your organization and investigate and resolve the issue. Every organization should have an easy, confidential way to receive these reports, and a clear set of processes for communicating with the person reporting them. For more information, see ISO 29147 and ISO 30111.

Q

Who built HackerOne?

A
HackerOne was created by people who want to make the Internet safer for everyone, including the people who built Facebook's, Google's, and Microsoft's bug bounty programs.

Q

Why is vulnerability coordination and strong relationships between organizations and researchers important?

A
All technology contains bugs. Security bugs may be discovered by a member of the public in any given software, and how an organization responds to a vulnerability report from a security researcher reflects the maturity of the organization's security program. Maintaining positive relationships with security researchers is one of the most effective means of providing a safe and secure product by welcoming vulnerability reports. Our vulnerability coordination guidelines remove ambiguity from the reporting process to ensure that security bugs are addressed safely. Clearly defining permitted behavior through a guided process builds trust and prevents misunderstanding.

Q

What is a Bug Bounty?

A
A bug bounty is a cash reward that a grateful organization pays a hacker for reporting a vulnerability in the organization's product or online service. Companies successfully use bug bounties as a highly cost-effective way of discovering unknown vulnerabilities in publicly available products.

A
HackerOne makes getting started easy, a live demo only takes a few minutes. Get started here.

Q

How do I make running a program more easily manageable?

A
HackerOne provides the tools and automation to streamline the process of vulnerability coordination. Starting with a "soft launch", the platform guides you through the process in a controlled manner.

Q

What is a "soft launch"?

A
A soft launch is an invitation-only vulnerability response program hosted on HackerOne. It is a great way to get started without a formal public commitment. During the soft launch, you will be able to start with a small number of chosen, reputable researchers and progress at your own pace.

Q

Do you offer a managed bug bounty program?

A
Yes, through our network of expert partners, or any partner of your choosing! HackerOne partners with a number of expert security consultant organizations that can help you with temporary or permanent staff augmentation for your vulnerability response team. If you would like to bring in your own consulting partners, HackerOne will train them on how to use the platform most effectively.

Q

How much should I pay for bounties?

A
That all depends on you. The bounties already paid by programs on the HackerOne platform range from $100 - $20,000. Take a look at some of the other programs hosted by HackerOne, including our own HackerOne bounty program, to be inspired!

Q

How much does it cost to use your services?

A
The HackerOne vulnerability coordination platform is free to use. If you choose to offer a bug bounty, we charge a 20% commission. As part of our bounty payment service, we take care of getting the hackers paid, including getting them the right tax forms and removing that operational headache for you, so you can focus on getting your vulnerabilities fixed. Contact us for details at sales@hackerone.com

Q

Are my vulnerabilities safe going through the HackerOne platform?

A
All traffic to and from the HackerOne servers is encrypted. Your Response Team can use our IP whitelisting policy so your data can only be accessed from locations you control. Learn more about HackerOne security here.

Q

Do the HackerOne personnel get to see my vulnerabilities?

A
No. HackerOne works to provide organizations with the tools they need to successfully run their own vulnerability coordination program. As such, HackerOne personnel do not have access to your confidential vulnerability reports. HackerOne will never share your confidential data with any other parties of our own volition. We're also happy to accept submissions encrypted with the Response Team's PGP key. For further details, please view our Privacy Policy.

Q

Isn't there an ISO standard for Vulnerability Disclosure? Does HackerOne comply with this standard?

A
Yes, the International Standards Organization created ISO 29147 Vulnerability disclosure to help guide organizations on how to receive vulnerability reports from parties outside your organization, and how to disseminate vulnerability advisories. HackerOne can help your organization easily manage the vulnerability disclosure and coordination process via our automated platform.

Q

How can I find out more about the ISO standard on Vulnerability Disclosure?

A
HackerOne's Chief Policy Officer recorded a 20-minute video overview of the Vulnerability disclosure standard (29147) and a related ISO standard on vulnerability handling (30111) to help organizations understand what is included and how the standards are related. Watch it here.

Q

What are your policies regarding vulnerability disclosure?

A
The Bug Report will remain non-public to allow the Response Team sufficient time to publish a remediation. After the Response Team marks the vulnerability as "Resolved," either party can request public disclosure. If no action is taken, the Bug Report will be made public within 30 days. For more information, read our complete Disclosure Guidelines.

Q

What other incentives besides a cash reward could my organization offer?

A
The platform offers a built-in "Thanks" page to publicly recognize researchers who have helped you and your users with a security issue. Limited edition swag is often well-received, as are free coupons or vouchers for whatever services/products you offer. For researchers with the best contributions, considering offering to host them near your office for a lunch/drinks or cover their admission to conferences your team may be attending.

A
As a researcher submitting vulnerabilities through the HackerOne platform, your reputation measures how likely your finding is to be immediately relevant and actionable. Reputation is based exclusively on your track record as a researcher. There are a number of privileges that are gained by maintaining a high reputation, such as becoming eligible to receive invitations to early previews of upcoming bounty programs. On the flip side, should your reputation decrease, the system will gradually reduce the number of submissions allowed in a given time period. We believe it is critical to this community that response teams be afforded a high-signal environment so that they can focus on providing a quality response to researchers who turn in the best vulnerabilities. For more details, please see this post.

Q

How do I get invited to invitation-only soft launches?

A
You can increase your chance of being invited by being awesome and having a high reputation on the HackerOne platform. When you are invited, the one universal rule is to not talk about invitation-only soft launches.

Q

I found a vulnerability in an organization that is not listed on your site. What should I do?

A
If you are unable to find a published vulnerabiliy disclosure program for the organization, you can contact us and we'll try to help.

Q

What types of bugs qualify for bounties?

A
First, make certain you follow our general guidelines for vulnerability coordination and disclosure. Next, each Response Team has a unique set of criteria for what bugs are in scope, along with any special rules they'd like you to follow. Be certain to carefully read each individual team page before beginning any research or testing on their products.

Q

Who decides how much each bounty is?

A
The Response Team for the product or service you are testing will assess each individual report to determine its bounty eligibility. HackerOne does not have access to vulnerability reports and cannot decide bounty eligibility or bounty amounts.

Q

Can I report the bug via a third-party broker?

A
No. It is unacceptable to share the vulnerability with anyone without the explicit consent of the Response Team.

Q

Do I have to prove the severity and exploitability of the vulnerability?

A
Not necessarily. The Response Team will make an assessment if necessary. However, the likelihood and size of a bounty may be positively influenced by a high quality report that provides details on severity and exploitability.

Q

When do I get my bounty?

A
We recommend that Response Teams reward bounties within 30 days of the resolution of a bug. Often, a full understanding of the vulnerability and its impact only becomes apparent after a fix has been developed.

Q

How do I get paid?

A
Once you've been notified of your first bounty award, you'll receive instructions on completing the appropriate tax from and setting your payout preferences.

Q

Can I remain anonymous?

A
Researchers may choose to remain anonymous through a pseudonym on the HackerOne platform. We will need to know your identity in order to pay your bounty to you. If you prefer to remain anonymous even to HackerOne support staff, you can still choose to anonymously donate your bounty to charity.

Q

Do I have to keep details confidential once the bug is fixed?

A
Absolutely not. We believe that open, collaborative sharing of information and research will drive our collective knowledge forward and help make us all safer. It's a great idea to coordinate the public disclosure of vulnerability details with the Response Team. After a bug has been resolved, you can request public disclosure in the bug report itself through the HackerOne platform.

Q

Is anyone ineligible for the bounties?

A
Unfortunately, we're unable to issue monetary payments to individuals on US embargo lists, or individuals in countries currently on US embargo lists. HackerOne complies with all AML rules, regulation, and compliance (including OFAC sanctions).

Q

I'm 12 years old and found a bug - can I get paid a bounty?

A
We allow payments to hackers of any age. However, the Children's Online Privacy Protection Act restricts our ability to collect personal information from children under 13, so you will need to claim your bounties through your parent or legal guardian if you are under 13 years of age.

Q

Can I donate my bounty to a charity?

A
Absolutely! Some Response Teams may even increase the donation value in the event you decide to donate your bounty.

A
Our collective safety is only possible when public security research is allowed to flourish. Some of the most critical vulnerabilities in the internet's history have been resolved thanks to efforts of researchers fueled entirely by curiosity and altruism. We owe these individuals an enormous debt and believe it is our duty to do everything in our power to cultivate a safe, rewarding environment for past, present, and future researchers.

Q

Who is running the Internet Bug Bounty program?

A
The program is administered by an independent panel of security experts from the community. The Panel is responsible for defining the rules of the program, allocating bounties to where additional security research is needed most, and mediating any disagreements that might arise. The program is partially hosted by HackerOne.

Q

How is the program funded?

A
The Internet Bug Bounty program is sponsored by individuals and organizations who genuinely care about our collective security. Their contributions directly fund the bounties paid to researchers with no portion going to The Panel or HackerOne: 100% goes to researchers. Sponsors do not have any special access or rights to bug data. If you'd like to sponsor security research, let us know!

Q

What types of bugs qualify for bounties?

A
First, make certain you follow our general guidelines for vulnerability disclosure. Next, each Response Team has a unique set of criteria for what bugs are in scope along with any special rules they'd like you to adhere to. Be certain to carefully read each individual team page before beginning any research or testing on their products.

Q

Who decides how much each bounty is?

A
The Panel may provide general guidance on bounties, but the appropriate Response Teams will assess each individual report to determine its bounty eligibility. The Panel is available to meditate any disagreements that may arise.

Q

I'm a contributor to an open source project. Am I eligible?

A
Yes! However, we have two simple caveats: your involvement with the project is a labor of love as an unpaid volunteer, and you did not author or review the blamed commit.

Q

Is there an upper bound on the timeline for public disclosure?

A
180 days. Individual response teams are encouraged to set better (faster!) standards for themselves. We have an upper bound because one of our primary goals is to make software safer for everyone, and this only occurs if uncovered vulnerabilities actually get patched in a timely manner.

Q

What about software or services where the vendor already has a bounty program?

A
Where the vendor already has a reasonable bounty program in place, we request that you contact the vendor directly.

Q

Can I report the bug to you via a third-party broker?

A
No. It is unacceptable to share the vulnerability with anyone without the explicit consent of the Response Team.

Q

Can I report the bug directly to the Response Team?

A
In most cases, yes. Please review the Response Team's profile for specifics on their accepted routes for submission.